Cyber Attack Defenders

Today’s security strategies are predicated on attacks being technology based. Even after dismissing perimeter defense as passé, vendors point to endpoint defense, east/west containers, internal network defense, and catching Indicators of Compromise (IoCs) early, pitting our technological defenses against the hackers. In fact, a key factor in most high-profile government breaches has been social engineering. This includes the latest DOJ/DHS breach that put a lot of government employees’ contact information on the street.

The hacker reportedly compromised the email account of a DOJ employee and then, posing as that employee, persuaded DOJ tech support to provide a token code to access the DOJ web portal. Sure, this social engineering scheme should not have worked (and will not be repeated, we hope). However, experience shows that someone else will come up with a new and even more compelling social engineering scheme to abuse tech support at an agency. These bad actors are simply the newest form of conmen.

Modern conmen aren’t the slick, smiling guys who schmooze old ladies out of their retirement savings. Today’s conmen are “Microsoft tech support” and “the IRS” for the average person sitting at home. At federal agencies, the conmen are the helpless employees calling tech support because they forgot their password or token code. Remember the high-profile Pentagon breaches that occurred because of well-crafted phishing emails? Again, conmen.

Security experts are trying to fight a war of wits with technology and losing.

Why is this happening? Because the left hand isn’t talking to the right hand. Half the time when I talk to agencies, the network team runs some security tools, and the tech support team runs patching and AV (don’t get me started). The security team might, just might, own the firewall. Maybe. Hey, at least they own the SIEM. But do you think every system that should send syslog does? Don’t bet on it. When you’re dealing with conmen, the only way to catch them is communication. Anyone who has read “Winnie the Pooh’s New Clothes” remembers that the reason the Sly Fox could con everyone was that they were too afraid of looking “un-wise” to talk to each other. Sound familiar?

Even if I could wave a magic wand and put all the security infrastructure in the hands of the SOC, it wouldn’t solve the biggest problem, which is the need to synchronize all the security tools and data into one integrated, automated infrastructure. I am frustrated when I see a SIEM as the only integration point. Just because all the logs from various security tools end up in one repository that an agency can query or write correlation rules against, it does not mean the security infrastructure is integrated and automated.

We need threats to be identified locally as they occur and shared across heterogeneous resources. The SDN controls need to be told to quarantine an endpoint when the malware analysis comes back with a conviction. The NAC needs to be told what to look for when a device re-enters the environment from the outside. (Did you see the Tripwire airport WiFi report? UGH.)
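To make the difference between “logs land in the SIEM” and “tools act on each other’s findings” concrete, here is an added example that is not part of the original post and does not use any vendor’s real API. It models the loop described above: a malware verdict raised locally is logged to the SIEM and, in the same step, drives an SDN quarantine and a NAC watchlist entry, so the device is re-checked when it comes back in. The `SdnController`, `NacPolicy` and `Siem` classes are in-memory stand-ins, and the verdict lines, IPs, MACs and hash placeholders are constructed for the demo.

```python
"""Orchestrating a malware verdict across SIEM, SDN and NAC (illustrative, added example).

The controller classes are in-memory stand-ins for the real products; the point is the
control flow, not any specific product API.
"""
import json
from dataclasses import dataclass, field

# Constructed sandbox verdicts in JSON-lines form; hashes are placeholders, not real IoCs.
SAMPLE_VERDICTS = [
    '{"sha256": "PLACEHOLDER_HASH_1", "verdict": "malicious", '
    '"src_ip": "10.1.2.3", "src_mac": "aa:bb:cc:dd:ee:01"}',
    '{"sha256": "PLACEHOLDER_HASH_2", "verdict": "clean", '
    '"src_ip": "10.1.2.4", "src_mac": "aa:bb:cc:dd:ee:02"}',
]


@dataclass
class Siem:
    """Stand-in SIEM: a repository that records events but takes no action by itself."""
    events: list = field(default_factory=list)

    def log(self, event: dict) -> None:
        self.events.append(event)


@dataclass
class SdnController:
    """Stand-in SDN controller: tracks which endpoint addresses are quarantined."""
    quarantined: set = field(default_factory=set)

    def quarantine(self, ip: str) -> None:
        self.quarantined.add(ip)

    def is_quarantined(self, ip: str) -> bool:
        return ip in self.quarantined


@dataclass
class NacPolicy:
    """Stand-in NAC: a watchlist of device identities that must be re-checked on re-entry."""
    watchlist: dict = field(default_factory=dict)  # mac -> reason

    def watch(self, mac: str, reason: str) -> None:
        self.watchlist[mac] = reason

    def admit(self, mac: str, remediated: bool = False) -> str:
        """Admission decision when a device re-enters from outside.

        A watched device is denied until someone attests it was remediated; a successful
        remediated re-entry clears the watchlist entry so the device is not denied forever.
        """
        if mac in self.watchlist and not remediated:
            return "deny"
        self.watchlist.pop(mac, None)
        return "allow"


def handle_verdict(line: str, sdn: SdnController, nac: NacPolicy, siem: Siem) -> list:
    """One orchestration step: log the verdict, then act on a conviction across tools.

    Returns the list of actions taken so callers (and tests) can see what was shared.
    """
    event = json.loads(line)
    siem.log(event)  # every verdict is recorded, conviction or not
    if event.get("verdict") != "malicious":
        return []
    actions = []
    sdn.quarantine(event["src_ip"])
    actions.append(f"sdn.quarantine {event['src_ip']}")
    nac.watch(event["src_mac"], f"convicted sample {event['sha256']}")
    actions.append(f"nac.watch {event['src_mac']}")
    return actions


def run_demo(lines=SAMPLE_VERDICTS) -> dict:
    """Feed the constructed verdicts through the loop and summarise the resulting state."""
    sdn, nac, siem = SdnController(), NacPolicy(), Siem()
    actions = [handle_verdict(line, sdn, nac, siem) for line in lines]
    return {
        "actions": actions,
        "siem_events": len(siem.events),
        "quarantined": sorted(sdn.quarantined),
        "watched": sorted(nac.watchlist),
        # The same device trying to come back in before and after remediation.
        "reentry_before_fix": nac.admit("aa:bb:cc:dd:ee:01"),
        "reentry_after_fix": nac.admit("aa:bb:cc:dd:ee:01", remediated=True),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The SIEM still receives both events, so nothing is lost for later querying or correlation; the difference is that the conviction also changes the state of the SDN and NAC at the moment it happens, rather than waiting for an analyst to notice a correlation rule firing.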

There is so much more to say on this, but you get the picture. This needs to happen, and it requires that the products from companies like Palo Alto, ForeScout, VMware and others be implemented to work together. The industry is doing some work on this, but not enough. Federal agencies need to take advantage of the integrations already available and demand more cooperation as well.